9fans - fans of the OS Plan 9 from Bell Labs
From: cinap_lenrek@gmx.de
To: 9fans@9fans.net
Subject: Re: [9fans] dns
Date: Tue, 28 Aug 2012 03:45:35 +0200
Message-ID: <806339976624fc730c3d8ca5cad22d81@rei2.9hal>
In-Reply-To: <51521AAF-F781-4D9C-B430-488487761B75@ar.aichi-u.ac.jp>

very good. thanks.

one weird thing is that the string pointer (0xfb900) it
tried to free (char *domain) points in the middle of the
querylck array of an allocated DN.

that's not a valid alloc block indeed.

there might've been a block there, but it got accidentally freed
and then the space reused for that DN, or the pointer itself
got corrupted (only possible from our current process as it's
stored on the stack which is private to our proc).

there's a block (0xfb9a0) after it that satisfies the requirement
of being the real thing (alloc callerpc is right after the smprint(),
still valid ip address string).

the char *domain pointer is stored on the stack at 0x74(SP).
char conndir[40] starts at 0x4c(SP). 0x4c+40 = 0x74 so if
dial overflows conndir (off by one error?) it could indeed
trash that pointer overriding the lsb of char *domain resulting
in bogus 0xfb900 address instead of 0xfb9a0.

acid: dump(0xdfffc8b4, 44/4, "X")
0xdfffc8b4: 0x74656e2f <- char conndir[40]
0xdfffc8b8: 0x7063742f
0xdfffc8bc: 0x0000392f
0xdfffc8c0: 0x00000000
0xdfffc8c4: 0x00000000
0xdfffc8c8: 0x00000000
0xdfffc8cc: 0x00000000
0xdfffc8d0: 0x00000000
0xdfffc8d4: 0x00000000
0xdfffc8d8: 0x00000000
0xdfffc8dc: 0x000fb900 <- char *domain

/sys/include/libc.h:480: #define NETPATHLEN 40

from sources /sys/src/libc/9sys/dial.c

static int
fillinds(DS *ds, Dest *dp)
{
	Conn *conn;

	if (dp->winner < 0)
		return -1;
	conn = &dp->conn[dp->winner];
	if (ds->cfdp)
		*ds->cfdp = conn->cfd;
	if (ds->dir) {
		strncpy(ds->dir, conn->dir, NETPATHLEN);
		ds->dir[NETPATHLEN] = '\0';	<---- fuck!
	}
	return conn->dfd;
}

this bug was introduced with the new parallel dial implementation.
the old sequential dial doesn't have this bug so 9front systems are
not affected.

someone make a patch.

--
cinap
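Added example (not part of cinap's message and not code from Plan 9's dial.c): it reproduces the mechanism the post describes, a terminating nul written at index NETPATHLEN into a NETPATHLEN-byte buffer, and shows that in a little-endian frame it zeroes the low byte of whatever sits right after the buffer. The frame layout (conndir[40] immediately followed by char *domain) and the pointer value 0x000fb9a0 are taken from the acid dump above; the frame itself is a constructed flat array, so the one-byte overrun stays inside one object and the result is well defined. The fixed variant is an assumed correction, not the patch the thread asks for.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NETPATHLEN 40	/* as in /sys/include/libc.h, quoted in the post */

/* The copy as quoted from dial.c: strncpy() may fill all NETPATHLEN bytes,
 * and the terminator is then stored at index NETPATHLEN, one byte past the
 * end of a NETPATHLEN-byte caller buffer. Kept buggy on purpose. */
static void
fillin_dir_buggy(char *dir, const char *src)
{
	strncpy(dir, src, NETPATHLEN);
	dir[NETPATHLEN] = '\0';
}

/* Assumed fix (not a patch from the thread): copy at most NETPATHLEN-1
 * bytes so the terminator always lands inside the buffer. */
static void
fillin_dir_fixed(char *dir, const char *src)
{
	strncpy(dir, src, NETPATHLEN-1);
	dir[NETPATHLEN-1] = '\0';
}

/* Constructed stand-in for the stack frame in the post's acid dump:
 * conndir[40] immediately followed by the 4-byte char *domain, stored
 * little-endian with the value 0x000fb9a0 (the block the post identifies
 * as the real one). Returns the pointer value as it reads after the copy. */
static uint32_t
domain_after_copy(void (*copy)(char *, const char *), const char *src)
{
	unsigned char frame[NETPATHLEN + 4];

	memset(frame, 0, sizeof frame);
	frame[NETPATHLEN+0] = 0xa0;
	frame[NETPATHLEN+1] = 0xb9;
	frame[NETPATHLEN+2] = 0x0f;
	frame[NETPATHLEN+3] = 0x00;

	copy((char *)frame, src);

	return (uint32_t)frame[NETPATHLEN+0]
	     | (uint32_t)frame[NETPATHLEN+1] << 8
	     | (uint32_t)frame[NETPATHLEN+2] << 16
	     | (uint32_t)frame[NETPATHLEN+3] << 24;
}

/* Length of the string the fixed copy leaves in a NETPATHLEN-byte buffer;
 * over-long input is truncated to NETPATHLEN-1 bytes rather than overrun. */
static size_t
fixed_copy_len(const char *src)
{
	char dir[NETPATHLEN];

	fillin_dir_fixed(dir, src);
	return strlen(dir);
}

int
main(void)
{
	/* constructed input; "/net/tcp/9" is what the dump shows in conndir */
	const char *conn = "/net/tcp/9";

	printf("buggy: char *domain reads 0x%08x\n", domain_after_copy(fillin_dir_buggy, conn));
	printf("fixed: char *domain reads 0x%08x\n", domain_after_copy(fillin_dir_fixed, conn));
	printf("fixed copy of an over-long path keeps %zu bytes\n",
		fixed_copy_len("/net/tcp/clone/some/very/long/path/that/does/not/fit/in/forty"));
	return 0;
}
```

With the buggy copy the simulated char *domain reads 0x000fb900, exactly the bogus address in the post; with the fixed copy it stays 0x000fb9a0. The corruption only shows up this cleanly on a little-endian machine where the pointer follows the buffer, which is why the symptom was a free() of a pointer into the middle of a live DN rather than an immediate crash.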
